Do Shoppers Even Care About Data Breaches?

In the wake of a data breach that exposed credit card information of 5 million shoppers at Saks Fifth Avenue and Lord & Taylor, parent company Hudson's Bay Co. was hit with a multimillion-dollar class action. It's one of three major retailers to disclose a major security mishap in the past month, joining Sears Holdings Corp. (SHLD) , whose third-party software provider, [24]7.ai Inc., found an incident affected the online payment information of 100,000 Sears customers, and Under Armour Inc. (UAA) , which said the information of roughly 150 million shoppers had been compromised.

Investors, however, seem unfazed. Sears and Hudson's Bay both saw shares flutter downward following their announcements of their incidents, but as of Tuesday, April 10 — five days after the latter was hit with the lawsuit — the stocks had rallied to prebreach levels. Sears shares, in fact, were up nearly 9% Tuesday afternoon, trading at $3.07 at market's close. And Under Armour, despite bearing the worst breach of the three, hardly saw any effect, as the athletic apparel retailer already has underperformed over the past 12 months.

It very well may be that American consumers are not actually all that concerned with data breaches, sources said, pointing to the dearth of consequences that retailers and other consumer-facing companies are dealt in the aftermath of an incident.

"It could be that, unfortunately, data breaches have become so common that consumers either can't keep up with the news flow or are more forgiving because of their frequency," said Mark Hamrick, senior economic analyst for Bankrate.com.

Retail consultant Michael Berne echoed the theory that consumers may be desensitized by the prevalence of hacks.

"Consumers might say in surveys that they will refuse to do business with a retailer if they have doubts about its data-security practices, but they must have short memories," he said.

"Retail is indeed the industry that seems to be targeted most often, yet with the notable exception of Target, where sales nosedived following its 2013 breach, the retailers that have fallen victim in recent years do not seem to have suffered all that much in the aftermath either in terms of lost revenue or reduced stock price," Berne added.

Target Corp. (TGT) was perhaps the last retailer to really suffer from customer data theft. Following the incident, which affected up to 70 million individuals, the retailer reported a 40% dip in quarterly profit and 3.8% decline in sales.

Despite customer sentiment, though, a data breach can still be costly, according to Paige Schaffer, CEO of Generali Global Assistance identity and digital protection services. She pointed to data that shows an incident could cost a retailer up to $172 per record exposed, although the average data breach now costs about $7 million overall.

"There's also reputational impact, PR costs and also costs depending on the regulation in each state. The onus is on these companies to not have arrogance on this and make security part of their corporate culture," she said. "Banks, for instance, have gotten really good at protecting the consumer."

To begin with, retailers can be pickier with what third-party vendors they choose to work with, such as Sears' mistake with [24]7.ai, said Brian Johnson, CEO of cloud infrastructure platform Divvy Cloud Corp.

"Retailers are not tech companies; they're logistics companies with store fronts, so they're not exacting keeping up with how fast technology is moving," he said. "Luckily, there are are a lot of really strong companies that could help."

While victims of a security breach rarely see any severe impact on their bottom lines, there could be ramifications that have yet to be seen, Johnson added.

To that point, others are in agreement.

Consumer desensitization in and of itself could be a problem, Hamrick said.

Perhaps the most serious effect of the breaches is that consumer disinterest has further discouraged retailers to not be "more careful about the risks associated with negligence," he said.